>> Applications are now restricted where they can write to. I've found >> /usr/local and /opt are OK. I have not tried /var. > > According to https://en.wikipedia.org/wiki/System_Integrity_Protection, > /var is protected. > > You might try moving /var/root/.serverauth.6258 to /opt.
/var itself is protected, but is just a symlink to /private/var; and /private is redirected (firmlink set up automatically at boot) to /System/Volumes/private. So root's login directory of /var/root is still writable by root, as are files in it. It was for me even before I turned off SIP, anyway.
